Commit Graph

9 Commits

Author SHA1 Message Date
jared c13549f3da cinny: harden + version-control the webhook web-deploy (lotus_deploy.sh)
Lint / Python (ruff) (push) Successful in 21s
Lint / Python deps (pip-audit) (push) Successful in 50s
Lint / Secret scan (gitleaks) (push) Successful in 7s
Lint / Shell (shellcheck) (push) Failing after 14s
Lint / JS (eslint) (push) Successful in 24s
The live /usr/local/bin/lotus_deploy.sh (the `lotus-deploy` webhook target) was
never under version control and had rotted into two deploy-killing bugs that
froze chat.lotusguild.org on an old build:

1. CI gate: it waited on the WHOLE workflow run with a 15-min cap. Web CI shares
   the single act_runner with the slow Tauri desktop builds, so a web run could
   sit queued >15 min -> "result: timeout" -> deploy aborted. Now it gates only
   on the "Build & Quality Checks" commit-status context (build + unit tests),
   decoupled from "Trigger Desktop Build", and waits up to 45 min.

2. Dead element-call copy: `cp node_modules/@element-hq/element-call-embedded/...`
   under `set -e` aborted every deploy after the widget was forked to
   @lotusguild/element-call-embedded. The build already emits dist/public/
   element-call; replaced the copy with a presence check.

Also: rsync now excludes config.json so the app deploy stops clobbering the
production runtime config (homeserver list / allowCustomHomeservers) that the
matrix repo owns. lxc106-cinny.sh now installs this script (syntax-checked).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-30 18:10:10 -04:00
jared d6fd323262 cinny: enable mozilla.org (OIDC/next-gen-auth homeserver)
Lint / Shell (shellcheck) (push) Successful in 10s
Lint / JS (eslint) (push) Successful in 21s
Lint / Python (ruff) (push) Successful in 15s
Lint / Python deps (pip-audit) (push) Successful in 59s
Lint / Secret scan (gitleaks) (push) Successful in 9s
Now that the client supports MSC3861 OIDC login, add mozilla.org to the
homeserverList and its origins to the CSP. mozilla delegates: homeserver ->
mozilla.modular.im, OIDC issuer -> chat.mozilla.org, identity -> vector.im.
- connect-src += mozilla.org mozilla.modular.im chat.mozilla.org vector.im
- img-src += mozilla.org mozilla.modular.im
Applied live to LXC 106 and synced here.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-30 16:58:48 -04:00
jared b39e3594d5 cinny: allow matrix.org media in CSP img-src
Lint / Shell (shellcheck) (push) Successful in 9s
Lint / JS (eslint) (push) Successful in 5s
Lint / Python (ruff) (push) Successful in 5s
Lint / Python deps (pip-audit) (push) Successful in 36s
Lint / Secret scan (gitleaks) (push) Successful in 6s
Federated matrix.org users load avatars/images from their own media endpoint
(matrix-client.matrix.org), which img-src still blocked — so every avatar
tripped a CSP violation. Add https://matrix.org + https://*.matrix.org to
img-src to match connect-src. (media-src already allows https: so video/audio
were fine.) Applied live to LXC 106 and synced here.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-30 14:49:08 -04:00
jared 40ceb43672 cinny: version-control the production nginx site config
Lint / Shell (shellcheck) (push) Successful in 7s
Lint / JS (eslint) (push) Successful in 6s
Lint / Python (ruff) (push) Successful in 5s
Lint / Python deps (pip-audit) (push) Successful in 50s
Lint / Secret scan (gitleaks) (push) Successful in 9s
The chat.lotusguild.org nginx config (LXC 106) was edited directly on the box
and never tracked — which is how its CSP drifted (kept a dead Sentry URL and
blocked matrix.org logins). Snapshot it as cinny/nginx.conf (verbatim from prod,
incl. the corrected connect-src that now allows matrix.org/*.matrix.org) and
deploy it via lxc106-cinny.sh: back up the live file, swap, `nginx -t`, and
reload only on success (auto-restore the backup if validation fails, so a bad
config can't take the site down). TLS terminates at the NPM proxy, so this is a
plain HTTP server block with no secrets.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-30 13:14:49 -04:00
jared 45444e5118 cinny: allow matrix.org logins on the Lotus client
Lint / Shell (shellcheck) (push) Successful in 12s
Lint / JS (eslint) (push) Successful in 6s
Lint / Python (ruff) (push) Successful in 5s
Lint / Python deps (pip-audit) (push) Successful in 1m14s
Lint / Secret scan (gitleaks) (push) Successful in 9s
Add matrix.org to homeserverList so federated friends with matrix.org accounts
can sign into chat.lotusguild.org. defaultHomeserver stays 0 (lotusguild), and
allowCustomHomeservers stays false — only the two listed servers are selectable,
so the client isn't opened up to arbitrary homeservers.

Deploys via lxc106-cinny.sh (cp -> /var/www/html/config.json); lotus-build.sh
preserves the live config across app rebuilds, so this is the authoritative copy.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-30 11:27:43 -04:00
jared ffff199b7f Fix NODE_OPTIONS heap size for Vite build (896MB → 6144MB)
Lint / Shell (shellcheck) (push) Successful in 11s
Lint / JS (eslint) (push) Successful in 12s
Lint / Python (ruff) (push) Successful in 5s
Lint / Python deps (pip-audit) (push) Successful in 40s
Lint / Secret scan (gitleaks) (push) Successful in 5s
OOM observed during rendering-chunks phase at 896MB and 3072MB.
6144MB heap with 8GB LXC memory is confirmed working.
Also update README rebuild command to match.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-13 20:34:14 -04:00
jared 7f7ddd3e3c Switch Lotus Cinny from nightly dev to stable-release fork workflow
Lint / Shell (shellcheck) (push) Successful in 9s
Lint / JS (eslint) (push) Successful in 7s
Lint / Python (ruff) (push) Successful in 5s
Lint / Python deps (pip-audit) (push) Successful in 55s
Lint / Secret scan (gitleaks) (push) Successful in 5s
- Replace nightly build script with daily upstream release checker
  (cinny/upstream-check.sh) — posts to Matrix as LotusBot when a new
  cinnyapp/cinny stable release is published
- Add cinny/lotus-build.sh — merges latest release tag into the lotus
  branch, builds, deploys; triggered via !cinny-update webhook
- Fork lives at code.lotusguild.org/LotusGuild/cinny (lotus branch, v4.11.1)
- deploy/hooks-lxc106.json — adds cinny-build webhook endpoint (port 9000)
- Update landing page: "dev branch / nightly" → "Lotus fork / stable releases"
- Set LotusBot avatar on @hookshot_tinker-tickets

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-13 16:57:35 -04:00
jared 735c1eb30e ci: add lint workflow, shellcheck fixes, and CI failure hookshot alert
Lint / Shell (shellcheck) (push) Has been cancelled
Lint / JS (eslint) (push) Has been cancelled
- .gitea/workflows/lint.yml: new workflow running shellcheck on .sh files
  and eslint on hookshot/ JS transform scripts
- hookshot/.eslintrc.json: declare data/result as hookshot globals
- hookshot/ci-alert.js: new Matrix hookshot transform for CI failure alerts
- hookshot/deploy.sh: fix SC2155 (split local/assign), SC2034 (remove unused var)
- systemd/livekit-clear-port.sh: fix SC2148 (invalid shebang escape)
- cinny/dev-update.sh: fix SC2115 (use ${WEB_ROOT:?} to guard rm -rf)
- deploy/lxc151-hookshot.sh: add shellcheck source=/dev/null for sourced file
- .gitignore: ignore node_modules/
- package.json + package-lock.json: eslint@8 dev dependency

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-14 16:25:39 -04:00
jared 0e275d725e refactor: replace old bot code with Matrix infra configs and scripts
- Remove obsolete Python bot (Wordle, commands, callbacks, welcome)
- Add hookshot/ — all 11 webhook transformation functions + deploy.sh
- Add cinny/ — config.json and dev-update.sh (nightly dev branch build)
- Add landing/ — matrix.lotusguild.org landing page HTML
- Add systemd/ — livekit-server, draupnir, cinny cron unit files
- Add draupnir/ — production config (access token redacted)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-18 10:36:51 -04:00
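
The config deploy sequence described in commit 40ceb43672 (back up the live file, swap, `nginx -t`, reload only on success, restore the backup if validation fails), as an added example; it is not the repository's lxc106-cinny.sh. The function name `swap_config`, the `CHECK_CMD`/`RELOAD_CMD` variables and `nginx -s reload` as the reload command are assumptions.

```shell
#!/bin/sh
# Added example: validate-then-reload config swap with automatic rollback.
# swap_config, CHECK_CMD and RELOAD_CMD are hypothetical names; the defaults
# below assume nginx is installed and the caller may write the live file.
: "${CHECK_CMD:=nginx -t}"
: "${RELOAD_CMD:=nginx -s reload}"

# swap_config NEW LIVE
#   0 = new config validated and service reloaded
#   1 = validation failed, previous config restored, no reload issued
#   2 = setup, copy or reload error
swap_config() {
    sc_new=$1
    sc_live=$2
    sc_backup="${sc_live}.bak"

    if [ ! -f "$sc_new" ] || [ ! -f "$sc_live" ]; then
        return 2
    fi

    # 1. Back up the live file (-p keeps mode and timestamps).
    cp -p "$sc_live" "$sc_backup" || return 2

    # 2. Swap: overwrite in place so the live path keeps its mode and owner.
    if ! cp "$sc_new" "$sc_live"; then
        cp -p "$sc_backup" "$sc_live"
        return 2
    fi

    # 3. Validate. The running service still holds the old config in memory,
    #    so a failure at this point has not touched live traffic.
    if ! sh -c "$CHECK_CMD" >/dev/null 2>&1; then
        cp -p "$sc_backup" "$sc_live"   # auto-restore the known-good file
        echo "validation failed, restored $sc_live" >&2
        return 1
    fi

    # 4. Reload only after validation passed.
    sh -c "$RELOAD_CMD" || return 2
}
```

Because the restore happens before any reload is attempted, a rejected file never reaches the running workers, and the non-zero exit lets the calling deploy script stop.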